Facebook was known to aggressively filter URLs too if posted too often.
selridge•Feb 14, 2026
Ironic seeing this as a medium post.
written-beyond•Feb 14, 2026
I want to thank you dear poster and author, I feel genuinely refreshed reading a short interesting post sans status quo topic.
Waiting for the next part!
0______0•Feb 15, 2026
Right? It's so short and...just ends. Been too fatigued reading essays on just about everything. I loved this one.
jen729w•Feb 15, 2026
Alas Medium interrupted my journey to that nirvana.
ticoombs•Feb 15, 2026
I have blocked medium.com because of that. Same as the SEO spam dev.to.
It's actually interesting how often I end up seeing the uBlock 'blocked' page because of it. And how blind I end up being to the serp domains.
I of course can click the bypass button on a case by case basis.
anthk•Feb 15, 2026
I just replace medium.com with scribe.rip in the URL.
dvfjsdhgfv•Feb 15, 2026
Strangely enough I enjoyed this abrupt ending, too. The lack of typical "It's not the end — it's just the beginning!" turned out surprisingly refreshing.
samename•Feb 14, 2026
Ironic the Apple App store allows a "phone antivirus" to exist.
ronsor•Feb 14, 2026
Funnily enough that's given as an example of a prohibited type of app in their review guidelines.
cwillu•Feb 15, 2026
@PlatoIsADisease (because dead comments can't be replied to): the term WalledGarden has been a term for this and related concepts since long before marketing-speak had completed the takeover of the internet.
krackers•Feb 15, 2026
But it's rated 4.4 stars!
I'm guessing it hoovers your contacts and tries to get you to sign up for the IAP subscription.
jsheard•Feb 15, 2026
The meta these days is bundling dodgy SDKs which turn the device into a residential proxy, which then gets sold on to the highest bidder. Mostly AI companies, whose desire to scrape literally everything has driven demand for that type of malware into the stratosphere.
walletdrainer•Feb 15, 2026
Surely that doesn’t work very well on iOS devices unless you’re actively holding the location api open or something, which would be noisy.
xp84•Feb 15, 2026
Almost unbelievable that they allow this - except of course they do, because scamware makes a ton of money via in-app purchase, and Apple gets 30%, so of course they do. I'm sure people will come out of the woodwork now to white knight for Apple and spin this somehow. But anything that offends their business model can be removed in minutes, while software that by its title violates the App Store rules is just here indefinitely.
9dev•Feb 15, 2026
I'm pretty sure that one made it through the review for some reason, you don't typically see these apps in the App Store.
shepherdjerred•Feb 15, 2026
There's a ton of these apps. If you turn off your adblock, use your iPhone for a bit and click a few ads, you'll find a bunch.
cbarrick•Feb 15, 2026
Quite an unhinged take.
The claim that malware "makes a ton of money" for Apple definitely needs a citation. I certainly don't believe it.
Obviously, Apple understands that the reputational damage from malware is more costly than any cut they might get from the minuscule sales of it. Apple might be evil (for some definition of "evil"), but they're not dumb.
Occam's Razor and Hanlon's Razor are aligned here. Apple would prefer this app not exist, but somehow it slipped through the review.
mitemte•Feb 15, 2026
The App Store has done a great job of training users to think that anything downloaded from it is somehow safe. In reality, Apple’s static code analysis and human review processes are flawed and people need to exercise way more caution than they do.
halapro•Feb 15, 2026
Curated App Store, they said. Might have been true in 2010
alex1138•Feb 15, 2026
I thought this was going to be about how links have become harder and harder to follow on Insta. The login walls got progressively stronger (it feels like) and now it's just hard blocked
Sorry, Zuck. Not signing up for Insta, though you probably made a shadow profile of me
hdjY28•Feb 15, 2026
FOA means “family of apps”. Source: Meta’s quarterly earning reports
neya•Feb 15, 2026
How does Apple allow this? Here I thought the App Store was supposedly superior to the Android eco-system and that's why Apple justified the insane 30% tax on developers back then
conception•Feb 15, 2026
Google Play was also 30%?
neya•Feb 15, 2026
Yeah but Google always allowed you to bypass that by allowing users to install apps outside of their store. Whereas Apple pitched it as a security concern only to allow whoever paid them a nice fat commission
FranklinJabar•Feb 15, 2026
I thought Android allowed installing third party apps without going through the store. Isn't this 90% of the pitch of Android to begin with?
est•Feb 15, 2026
It's fun and all, but is there a way to safely host .html without allowing it to be rendered?
CORS? sec-fetch-dest, sec-fetch-mode and sec-fetch-site?
If storage.googleapis.com weren't operated by Google, the domain would have been blocked by Google's "Safe Browsing" a long time ago.
gruez•Feb 15, 2026
Serve it with content-type set to text/plain and browsers won't try to render it. You can try a random html file on github. If you click raw it'll get rendered as text.
While this probably works, you should also add a restrictive CSP (using the sandbox directive).
Forcing the download (via Content-Disposition header) would likely be even better, but it is annoying for users.
cxr•Feb 15, 2026
Replying to this comment because though it's vague in specifics it reads as authoritative and knowledgeable. In reality, it confuses/conflates multiple things.
Serving HTML source as text/plain is safe. No browser capable of understanding CSP is going to be at risk of anything that CSP would actually protect against in this case.
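The three options raised in this sub-thread (text/plain, a CSP `sandbox` directive, and a forced download via Content-Disposition), as an added example that is not part of any commenter's post. The `UPLOADS` sample, the `download=1` query switch, the function names and the `X-Content-Type-Options` header are assumptions of this sketch, not something the thread specifies.

```python
from urllib.parse import quote
from wsgiref.simple_server import make_server

# Constructed sample "bucket" holding one untrusted, user-uploaded object.
UPLOADS = {"/page.html": b"<!doctype html><script>alert(document.domain)</script>"}

def untrusted_headers(name, force_download=False):
    """Response headers that keep a browser from rendering an untrusted upload."""
    headers = [
        # text/plain: the browser displays the source instead of parsing HTML.
        ("Content-Type", "text/plain; charset=utf-8"),
        # Honor the declared type (no MIME sniffing); this also blocks the
        # object from being loaded as a cross-site script or stylesheet.
        ("X-Content-Type-Options", "nosniff"),
        # Extra layer: if the body were ever rendered, sandbox gives it an
        # opaque origin with scripts, forms and popups disabled.
        ("Content-Security-Policy", "sandbox; default-src 'none'"),
    ]
    if force_download:
        # Strictest option: save to disk rather than display in the tab.
        fname = quote(name.rsplit("/", 1)[-1])
        headers.append(("Content-Disposition",
                        f"attachment; filename*=UTF-8''{fname}"))
    return headers

def app(environ, start_response):
    """Minimal WSGI app serving UPLOADS with the hardened headers."""
    path = environ.get("PATH_INFO", "")
    body = UPLOADS.get(path)
    if body is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    download = environ.get("QUERY_STRING", "") == "download=1"
    start_response("200 OK", untrusted_headers(path, download)
                   + [("Content-Length", str(len(body)))])
    return [body]

def fetch(path, query=""):
    """Call the app in-process; returns (status, headers dict, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app({"PATH_INFO": path, "QUERY_STRING": query}, start_response))
    return seen["status"], seen["headers"], body

if __name__ == "__main__":
    make_server("127.0.0.1", 8000, app).serve_forever()
```
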
kccqzy•Feb 15, 2026
> If storage.googleapis.com weren't operated by Google, the domain would have been blocked by Google's "Safe Browsing" a long time ago.
Not true. You just need to make it an eTLD by adding it to the public suffix list. Only subdomains of domains on the PSL can be marked by Google’s Safe Browsing.
ghxst•Feb 15, 2026
The use of "storage.googleapis.com" is probably because it's an "authority" domain that apps can't easily ban without side effects. Buckets can typically be used as a static site host where you can host a client side redirect; depending on how you set it up you can make it almost impossible for an app to ban a campaign in real time.
notpushkin•Feb 15, 2026
This has some good uses, by the way! VPNs and news websites that are blocked in Russia use it to either mirror content or redirect to the newest version.
That’s probably “Family of Apps” instead, referring to the family of apps that Meta owns (e.g. IG, FB, WhatsApp, etc)
amne•Feb 15, 2026
At this point it must be intentional that there's always something uncanny about these fake pages. That google logo is so old that if I see it I immediately know to get out of there.
So I find it fascinating how there's always the odd typo, the old logo, the impossible combination of iPhone needing an antivirus, etc and I refuse to believe it is incompetence.
flomo•Feb 15, 2026
Entirely intentional because they want to filter out anyone who can see how scammy it looks, so they don't waste their time. This is bulk spam stuff. If they are actually targeting you, it will look very real.
tgsovlerkhgsel•Feb 15, 2026
I don't buy it. The actor running the website likely gets paid for every user that installs the app or possibly even every user they direct at the app.
Even in the unlikely case that they get paid for achieving some later payoff, the "work" on the way there is almost certainly 100% automated so there is no harm in spraying the attack more widely (as opposed to Nigeria scams where pre-AI, pre-slave-farm, the scammers would have to invest significant amounts of a very limited resource - their time - on each victim).
devsda•Feb 15, 2026
Is there a common guide that all scammers follow?
Many people also claim this is the real reason behind grammatical errors in Nigerian prince email scams.
efilife•Feb 15, 2026
I found an e-mail spam service that said they needed to have typos on their website because it was better indexed for their target audience this way?
Weird
mmsc•Feb 15, 2026
Instagram blocks me from sending Facebook.com in DMs to people. No idea why and support doesn't help.
regenschutz•Feb 15, 2026
I tried visiting that link on my device, and after many redirects and uBO warning screens, I ended up on an AI content farm in my native language, Swedish.
numpad0•Feb 15, 2026
... why is the hxxps:// URL in the article linkified? It's a URL scheme created to explicitly mark a URL as unsafe.
j1elo•Feb 15, 2026
With default uBlock Origin filters on mobile Firefox, all Medium blogs show up as a blank page. Which in this day and age is akin to saying that the page is utterly broken.
throwaway290•Feb 15, 2026
...and that shady "AI cleaner" is STILL on App Store? with 4.4 rating?
should App Store platform fees fund getting this stuff banned?
hypertexthero•Feb 15, 2026
This brings to mind this question:
Should HN allow links to sites that break the back button, like all Meta sites (Ig, Fb, etc)?
ckwalsh•Feb 15, 2026
Blackhole is the name of one of the services used in display-time malicious content filtering.
I’m guessing the urls in that db were either generating a ton of backend load, so they were pushed to devices, or perhaps are customized on a per user basis for some reason